Rule ID | Title | Affected Services |
---|---|---|
CSPM-AZURE-2024-0001 | The Use of Guest Users Detected | Microsoft Graph API |
CSPM-AZURE-2024-0002 | Users can Create Security Groups | Microsoft Graph API |
CSPM-AZURE-2024-0003 | App Service Authentication is Disabled | Web |
CSPM-AZURE-2024-0004 | Client Certificates are Disabled | Web |
CSPM-AZURE-2024-0005 | FTP Deployment is Enabled | Web |
CSPM-AZURE-2024-0006 | HTTP 2.0 is Disabled | Web |
CSPM-AZURE-2024-0007 | HTTP traffic is Permitted | Web |
CSPM-AZURE-2024-0008 | Managed Service Identities Disabled | Web |
CSPM-AZURE-2024-0009 | Web App is using an Outdated Version of the .NET Framework | Web |
CSPM-AZURE-2024-0010 | Web Application is using an Outdated Java Version | Web |
CSPM-AZURE-2024-0011 | Web Application is using an Outdated PHP Version | Web |
CSPM-AZURE-2024-0012 | Web Application is using an Outdated Python Version | Web |
CSPM-AZURE-2024-0013 | Insecure TLS Version Detected | Web |
CSPM-AZURE-2024-0014 | Work in Progress (WIP) – Web App is Not Utilizing the Latest Programming Language Version | App Service |
CSPM-AZURE-2024-0015 | Key Vault, if deleted or purged, is Not Recoverable | Key Vault |
CSPM-AZURE-2024-0016 | Key Vaults Allowing Public Network Access | Key Vault |
CSPM-AZURE-2024-0017 | Key Vault Role Based Access Control Disabled | Key Vault |
CSPM-AZURE-2024-0018 | Diagnostic Setting Does Not Exist | Monitor |
CSPM-AZURE-2024-0021 | Activity Log Alert Does Not Exist For _ARG_0_ Events for Active Security Solutions | Monitor |
CSPM-AZURE-2024-0023 | Audit Profile Does Not Capture All Activities | Monitor |
CSPM-AZURE-2024-0024 | Enforce SSL Connection is Disabled in MySQL Database Server | DBforMySQL |
CSPM-AZURE-2024-0029 | Network Watcher is Not Enabled | Network |
CSPM-AZURE-2024-0030 | Network Watcher is Not Provisioned | Network |
CSPM-AZURE-2024-0031 | Database PostgreSQL Allows Ingress 0.0.0.0/0 (Any IP) | DBforPostgreSQL |
CSPM-AZURE-2024-0032 | PostgreSQL Connection Throttling Parameter on Server is Not Set To ‘ON’ | DBforPostgreSQL |
CSPM-AZURE-2024-0033 | PostgreSQL Log Checkpoints Parameter on Server is Not Set To ‘ON’ | DBforPostgreSQL |
CSPM-AZURE-2024-0034 | PostgreSQL Log Connections Parameter on Server is Not Set To ‘ON’ | DBforPostgreSQL |
CSPM-AZURE-2024-0035 | PostgreSQL Log Disconnections Parameter on Server is Not Set To ‘ON’ | DBforPostgreSQL |
CSPM-AZURE-2024-0036 | PostgreSQL Log Duration Parameter on Server is Not Set To ‘ON’ | DBforPostgreSQL |
CSPM-AZURE-2024-0037 | PostgreSQL Server Parameter Log Retention Days is less than 4 | DBforPostgreSQL |
CSPM-AZURE-2024-0038 | Enforce SSL Connection is Disabled in PostgreSQL Database Server | PostgreSQL |
CSPM-AZURE-2024-0039 | No Role for Administering Resource Locks | Authorization |
CSPM-AZURE-2024-0040 | RBAC Custom Subscription Owner Role is Not Allowed | Authorization |
CSPM-AZURE-2024-0041 | Monitoring Agent is Not Provisioned Automatically in Security Center | Security |
CSPM-AZURE-2024-0042 | No Security Contact Email Set in Security Center | Security |
CSPM-AZURE-2024-0043 | “Sending Email to Security Contact on Alert” is “Off” in Security Center | Security |
CSPM-AZURE-2024-0044 | “Sending Email to Administrators on Alert” is “Off” in Security Center | Security |
CSPM-AZURE-2024-0045 | No Security Contact Set in Security Center | Security |
CSPM-AZURE-2024-0046 | No Security Contact Phone Set in Security Center | Security |
CSPM-AZURE-2024-0047 | Microsoft Cloud App Security (MCAS) is Disabled in Security Center | Security |
CSPM-AZURE-2024-0048 | Windows Defender ATP (WDATP) is Disabled in Security Center | Security |
CSPM-AZURE-2024-0049 | Standard Tier is Not Enabled in Security Center | Security |
CSPM-AZURE-2024-0050 | SQL Database Allows Ingress 0.0.0.0/0 (Any IP) | SQL |
CSPM-AZURE-2024-0052 | Auditing is Disabled for SQL Databases | SQL |
CSPM-AZURE-2024-0053 | Threat Detection is Disabled for SQL Databases | SQL |
CSPM-AZURE-2024-0054 | Data Encryption is Disabled for SQL Databases | SQL |
CSPM-AZURE-2024-0055 | Threat Detection Alerts are Disabled for SQL Databases | SQL |
CSPM-AZURE-2024-0056 | Short Threat Detection Retention Period is detected for SQL Databases | SQL |
CSPM-AZURE-2024-0057 | Send Threat Detection Alerts is Disabled for SQL Databases | SQL |
CSPM-AZURE-2024-0058 | Short Auditing Retention Period found on SQL Servers | SQL |
CSPM-AZURE-2024-0059 | Azure Active Directory Admin is Not Configured on SQL Servers | SQL |
CSPM-AZURE-2024-0060 | Auditing is Disabled on SQL Servers | SQL |
CSPM-AZURE-2024-0061 | Advanced Threat Protection (ATP) is Disabled on SQL Servers | SQL |
CSPM-AZURE-2024-0063 | Advanced Threat Protection is Disabled for All Types in SQL Servers | SQL |
CSPM-AZURE-2024-0064 | Short Threat Detection Retention Period is detected on SQL Servers | SQL |
CSPM-AZURE-2024-0065 | Send Advanced Threat Protection Alerts is Disabled on SQL Servers | SQL |
CSPM-AZURE-2024-0066 | Vulnerability Assessment (VA) is Disabled on SQL Servers | SQL |
CSPM-AZURE-2024-0067 | Send Email Notifications to Admins and Subscription Owners is Not Set on SQL Servers | SQL |
CSPM-AZURE-2024-0068 | Periodic Recurring Scans is Disabled on SQL Servers | SQL |
CSPM-AZURE-2024-0069 | Send Scan Report to is Not Configured on SQL Servers | SQL |
CSPM-AZURE-2024-0071 | Secure Transfer (HTTPS) is Not Enforced on Storage Accounts | Storage |
CSPM-AZURE-2024-0072 | Storage is Not Encrypted with Customer Managed Key | Storage |
CSPM-AZURE-2024-0073 | Blob Containers Allow Public Access in Storage Accounts | Storage |
CSPM-AZURE-2024-0074 | Storage Accounts Allow Public Access | Storage |
CSPM-AZURE-2024-0075 | Storage Account Soft Delete is Disabled | Storage |
CSPM-AZURE-2024-0076 | “Allow trusted Microsoft services” is Disabled on Storage Accounts | Storage |
CSPM-AZURE-2024-0077 | Virtual Machine Disks Lack Encryption | Compute |
CSPM-AZURE-2024-0078 | Virtual Machine Extensions are Installed | Compute |
CSPM-AZURE-2024-0079 | Virtual Machines are Not Utilizing Managed Disks | Compute |
CSPM-AZURE-2024-0080 | OS and Data Disks are Not Encrypted with CMK in Virtual Machines | Compute |
CSPM-AZURE-2024-0081 | Unattached Disks are Not Encrypted with CMK in Virtual Machines | Compute |
CSPM-AZURE-2024-0082 | Ensure Security Defaults is enabled on Microsoft Entra ID | Microsoft Entra ID |
CSPM-AZURE-2024-0085 | Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is Disabled (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0086 | Ensure Trusted Locations Are Defined (Manual) | Microsoft Entra ID Conditional Access |
CSPM-AZURE-2024-0087 | Ensure that an exclusionary Geographic Access Policy is considered (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0088 | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0089 | Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0090 | Ensure Multi-factor Authentication is Required for Risky Sign-ins (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0091 | Ensure Multifactor Authentication is Required for Windows Azure Service Management API (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0092 | Ensure Multifactor Authentication is Required to access Microsoft Admin Portals (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0093 | Ensure that ‘Restrict non-admin users from creating tenants’ is set to ‘Yes’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0094 | Ensure Guest Users Are Reviewed on a Regular Basis (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0096 | Ensure that a Custom Bad Password List is set to ‘Enforce’ for your Organization (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0100 | Ensure ‘User consent for applications’ is set to ‘Do not allow user consent’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0101 | Ensure “User consent for applications” Is Set To “Allow for Verified Publishers” (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0102 | Ensure that ‘Users can add gallery apps to My Apps’ is set to ‘No’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0103 | Ensure That “Users Can Register Applications” Is Set to “No” (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0104 | Ensure That ‘Guest users access restrictions’ is set to ‘Guest user access is restricted to properties and memberships of their own directory objects’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0105 | Ensure that ‘Guest invite restrictions’ is set to “Only users assigned to specific admin roles can invite guest users” (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0107 | Ensure that ‘Restrict user ability to access groups features in the Access Pane’ is Set to ‘Yes’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0108 | Ensure that ‘Owners can manage group membership requests in the Access Panel’ is set to ‘No’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0109 | Ensure that ‘Users can create Microsoft 365 groups in Azure portals, API or PowerShell’ is set to ‘No’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0110 | Ensure that ‘Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID’ is set to ‘Yes’ (Manual) | Microsoft Entra ID |
CSPM-AZURE-2024-0113 | Ensure That Microsoft Defender for Servers Is Set to ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0114 | Ensure That Microsoft Defender for App Services Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0115 | Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0116 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0117 | Ensure That Microsoft Defender for Open Source Relational Databases Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0118 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0119 | Ensure That Microsoft Defender for Storage Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0120 | Ensure That Microsoft Defender for Containers Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0121 | Ensure That Microsoft Defender for Key Vault Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0122 | Ensure That Microsoft Defender for DNS Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0123 | Ensure That Microsoft Defender for Resource Manager Is Set To ‘On’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0124 | Ensure that Microsoft Defender Recommendation for ‘Apply system updates’ status is ‘Completed’ (Automated) | Microsoft Defender |
CSPM-AZURE-2024-0125 | Ensure that Microsoft Cloud Security Benchmark policies are not set to ‘Disabled’ (Manual) | Policy |
CSPM-AZURE-2024-0126 | Ensure that Auto provisioning of ‘Vulnerability assessment for machines’ is Set to ‘On’ (Manual) | Security Center |
CSPM-AZURE-2024-0127 | Ensure that Auto provisioning of ‘Microsoft Defender for Containers components’ is Set to ‘On’ (Automated) | Security Center |
CSPM-AZURE-2024-0128 | Ensure That ‘Notify about alerts with the following severity’ is Set to ‘High’ (Automated) | Security |
CSPM-AZURE-2024-0129 | Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) | Microsoft Defender |
CSPM-AZURE-2024-0130 | Ensure That Microsoft Defender for IoT Hub Is Set To ‘On’ (Manual) | Microsoft Defender |
CSPM-AZURE-2024-0131 | Ensure that “Enable Infrastructure Encryption” for Each Storage Account in Azure Storage is Set to “enabled” (Automated) | Storage Resource Provider |
CSPM-AZURE-2024-0132 | Ensure that ‘Enable key rotation reminders’ is enabled for each Storage Account (Manual) | Storage Resource Provider |
CSPM-AZURE-2024-0134 | Ensure Storage Logging is Enabled for Queue Service for ‘Read’, ‘Write’, and ‘Delete’ requests (Automated) | Storage Resource Provider |
CSPM-AZURE-2024-0135 | Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual) | Storage Resource Provider |
CSPM-AZURE-2024-0136 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Automated) | Storage Resource Provider |
CSPM-AZURE-2024-0137 | Ensure Private Endpoints are used to access Storage Accounts (Automated) | Storage Resource Provider |
CSPM-AZURE-2024-0138 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) | Storage Resource Provider |
CSPM-AZURE-2024-0141 | Ensure the “Minimum TLS version” for storage accounts is set to “Version 1.2” (Automated) | Storage Resource Provider |
CSPM-AZURE-2024-0142 | Ensure ‘Cross Tenant Replication’ is not enabled (Automated) | Storage Resource Provider |
CSPM-AZURE-2024-0143 | Ensure SQL server’s Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | SQL Database |
CSPM-AZURE-2024-0144 | Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled (Automated) | PostgreSQL |
CSPM-AZURE-2024-0145 | Ensure ‘Infrastructure double encryption’ for PostgreSQL Database Server is ‘Enabled’ (Automated) | PostgreSQL |
CSPM-AZURE-2024-0146 | Ensure ‘TLS Version’ is set to ‘TLSV1.2’ (or higher) for MySQL flexible Database Server (Automated) | MySQL Flexible Servers |
CSPM-AZURE-2024-0147 | Ensure server parameter ‘audit_log_enabled’ is set to ‘ON’ for MySQL Database Server (Manual) | MySQL Flexible Servers |
CSPM-AZURE-2024-0148 | Ensure server parameter ‘audit_log_events’ has ‘CONNECTION’ set for MySQL Database Server (Manual) | MySQL Flexible Servers |
CSPM-AZURE-2024-0149 | Ensure That ‘Firewalls & Networks’ Is Limited to Use Selected Networks Instead of All Networks (Automated) | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0150 | Ensure That Private Endpoints Are Used Where Possible (Automated) | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0151 | Use Entra ID Client Authentication and Azure RBAC where possible. (Manual) | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0154 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics (Manual) | Network Watchers |
CSPM-AZURE-2024-0165 | Ensure Application Insights are Configured (Automated) | App Service |
CSPM-AZURE-2024-0166 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it (Manual) | Monitor |
CSPM-AZURE-2024-0167-01 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Virtual Networks |
CSPM-AZURE-2024-0167-02 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Load Balancer |
CSPM-AZURE-2024-0167-03 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | Redis Cache |
CSPM-AZURE-2024-0167-04 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | SQL Database |
CSPM-AZURE-2024-0167-05 | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | SQL Database |
CSPM-AZURE-2024-0170 | Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ (Automated) | Network Watchers |
CSPM-AZURE-2024-0171 | Ensure that Public IP addresses are Evaluated on a Periodic Basis (Manual) | Microsoft Network |
CSPM-AZURE-2024-0172 | Ensure an Azure Bastion Host Exists (Automated) | Virtual Networks |
CSPM-AZURE-2024-0173 | Ensure that ‘OS and Data’ disks are encrypted with Customer Managed Key (CMK) | Compute |
CSPM-AZURE-2024-0175 | Ensure that Only Approved Extensions Are Installed (Manual) | Compute |
CSPM-AZURE-2024-0179 | Ensure Trusted Launch is enabled on Virtual Machines (Automated) | Compute |
CSPM-AZURE-2024-0184 | Ensure that Private Endpoints are Used for Azure Key Vault (Manual) | Key Vault |
CSPM-AZURE-2024-0186 | Ensure that Register with Entra ID is enabled on App Service (Automated) | App Service |
CSPM-AZURE-2024-0187 | Ensure that Resource Locks are set for Mission-Critical Azure Resources (Manual) | Resource Management |
CSPM-AZURE-2024-0188 | Ensure Trusted Launch is enabled on Virtual Machines (Automated) | Compute |
CSPM-AZURE-2024-0193 | A maximum of 3 owners should be designated for your subscription | Authorization |
CSPM-AZURE-2024-0194 | An Azure Active Directory administrator should be provisioned for SQL servers | SQL Database |
CSPM-AZURE-2024-0198 | Audit user account status | Microsoft Entra |
CSPM-AZURE-2024-0199 | Azure AI Services resources should have key access disabled (disable local authentication) | Azure AI Services |
CSPM-AZURE-2024-0200 | Blocked accounts with owner permissions on Azure resources should be removed | Microsoft Entra |
CSPM-AZURE-2024-0201 | Blocked accounts with read and write permissions on Azure resources should be removed | Microsoft Entra |
CSPM-AZURE-2024-0206 | Function apps should use managed identity | App Service |
CSPM-AZURE-2024-0207 | Guest accounts with owner permissions on Azure resources should be removed | Microsoft Entra |
CSPM-AZURE-2024-0208 | Guest accounts with read permissions on Azure resources should be removed | Microsoft Entra |
CSPM-AZURE-2024-0209 | Guest accounts with write permissions on Azure resources should be removed | Microsoft Entra |
CSPM-AZURE-2024-0213 | Require approval for account creation | Policy |
CSPM-AZURE-2024-0217 | Service Fabric clusters should only use Azure Active Directory for client authentication | Service Fabric |
CSPM-AZURE-2024-0222 | Disable authenticators upon termination | Microsoft Entra |
CSPM-AZURE-2024-0226 | Monitor privileged role assignment | Microsoft Entra |
CSPM-AZURE-2024-0231 | Azure Defender for Azure SQL Database servers should be enabled | Microsoft Defender |
CSPM-AZURE-2024-0242 | Accounts with owner permissions on Azure resources should be MFA enabled | Resource Management |
CSPM-AZURE-2024-0243 | Accounts with read permissions on Azure resources should be MFA enabled | Resource Management |
CSPM-AZURE-2024-0244 | Accounts with write permissions on Azure resources should be MFA enabled | Resource Management |
CSPM-AZURE-2024-0247 | Audit Linux machines that have accounts without passwords | Compute |
CSPM-AZURE-2024-0248 | Authentication to Linux machines should require SSH keys | Compute |
CSPM-AZURE-2024-0256 | Role-Based Access Control (RBAC) should be used on Kubernetes Services | AKS |
CSPM-AZURE-2024-0257 | Azure Cognitive Search services should use private link | Search Management |
CSPM-AZURE-2024-0258 | Cognitive Services should use private link | Azure AI Services |
CSPM-AZURE-2024-0259 | All Internet traffic should be routed via your deployed Azure Firewall | Virtual Networks |
CSPM-AZURE-2024-0260 | Storage account public access should be disallowed | Storage Resource Provider |
CSPM-AZURE-2024-0261 | All network ports should be restricted on network security groups associated to your virtual machine | Virtual Networks |
CSPM-AZURE-2024-0262 | API Management services should use a virtual network | API Management |
CSPM-AZURE-2024-0263 | App Configuration should use private link | App Configuration |
CSPM-AZURE-2024-0264 | App Service apps should not have CORS configured to allow every resource to access your apps | App Service |
CSPM-AZURE-2024-0265 | Authorized IP ranges should be defined on Kubernetes Services | AKS |
CSPM-AZURE-2024-0267 | Azure API for FHIR should use private link | Healthcare APIs |
CSPM-AZURE-2024-0268 | Azure Cache for Redis should use private link | Redis Cache |
CSPM-AZURE-2024-0269 | Azure Cognitive Search service should use a SKU that supports private link | Search Management |
CSPM-AZURE-2024-0270 | Azure Cognitive Search services should disable public network access | Search Management |
CSPM-AZURE-2024-0271 | Azure Cosmos DB accounts should have firewall rules | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0272 | Azure Data Factory should use private link | Data Factory |
CSPM-AZURE-2024-0273 | Azure Event Grid domains should use private link | Event Grid |
CSPM-AZURE-2024-0274 | Azure Event Grid topics should use private link | Event Grid |
CSPM-AZURE-2024-0275 | Azure File Sync should use private link | Storage Sync |
CSPM-AZURE-2024-0276 | Azure Key Vault should have firewall enabled | Key Vault |
CSPM-AZURE-2024-0277 | Azure Key Vaults should use private link | Key Vault |
CSPM-AZURE-2024-0278 | Azure Machine Learning workspaces should use private link | Machine Learning |
CSPM-AZURE-2024-0279 | Azure Service Bus namespaces should use private link | Service Bus |
CSPM-AZURE-2024-0280 | Azure SignalR Service should use private link | SignalR Service |
CSPM-AZURE-2024-0281 | Azure Synapse workspaces should use private link | Synapse |
CSPM-AZURE-2024-0282 | Azure Web PubSub Service should use private link | Azure Web PubSub Service |
CSPM-AZURE-2024-0283 | Container registries should not allow unrestricted network access | Container Registry |
CSPM-AZURE-2024-0284 | Container registries should use private link | Container Registry |
CSPM-AZURE-2024-0286 | CosmosDB accounts should use private link | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0287 | Disk access resources should use private link | Compute |
CSPM-AZURE-2024-0289 | Event Hub namespaces should use private link | Event Hubs |
CSPM-AZURE-2024-0290 | Internet-facing virtual machines should be protected with network security groups | Virtual Networks |
CSPM-AZURE-2024-0291 | IoT Hub device provisioning service instances should use private link | IoT Hub Device Provisioning Service |
CSPM-AZURE-2024-0292 | IP Forwarding on your virtual machine should be disabled | Virtual Networks |
CSPM-AZURE-2024-0293 | Management ports should be closed on your virtual machines | Virtual Networks |
CSPM-AZURE-2024-0294 | Non-internet-facing virtual machines should be protected with network security groups | Virtual Networks |
CSPM-AZURE-2024-0295 | Private endpoint connections on Azure SQL Database should be enabled | SQL Database |
CSPM-AZURE-2024-0296 | Private endpoint should be enabled for MariaDB servers | MariaDB |
CSPM-AZURE-2024-0297 | Private endpoint should be enabled for MySQL servers | MySQL |
CSPM-AZURE-2024-0298 | Private endpoint should be enabled for PostgreSQL servers | PostgreSQL |
CSPM-AZURE-2024-0299 | Public network access on Azure SQL Database should be disabled | SQL Database |
CSPM-AZURE-2024-0300 | Public network access should be disabled for MariaDB servers | MariaDB |
CSPM-AZURE-2024-0301 | Public network access should be disabled for MySQL servers | MySQL |
CSPM-AZURE-2024-0302 | Public network access should be disabled for PostgreSQL servers | PostgreSQL |
CSPM-AZURE-2024-0303 | Storage accounts should restrict network access | Storage Resource Provider |
CSPM-AZURE-2024-0304 | Storage accounts should restrict network access using virtual network rules | Storage Resource Provider |
CSPM-AZURE-2024-0305 | Storage accounts should use private link | Storage Resource Provider |
CSPM-AZURE-2024-0306 | Subnets should be associated with a Network Security Group | Virtual Networks |
CSPM-AZURE-2024-0307 | VM Image Builder templates should use private link | Image Builder |
CSPM-AZURE-2024-0325 | Display an explicit logout message | Microsoft Entra ID |
CSPM-AZURE-2024-0326 | Provide the logout capability | Microsoft Entra ID |
CSPM-AZURE-2024-0329 | App Service apps should have remote debugging turned off | App Service |
CSPM-AZURE-2024-0330 | Audit Linux machines that allow remote connections from accounts without passwords | Guest Configuration |
CSPM-AZURE-2024-0332 | Azure Spring Cloud should use network injection | Azure Spring Apps |
CSPM-AZURE-2024-0336 | Function apps should have remote debugging turned off | App Service |
CSPM-AZURE-2024-0394 | Auditing on SQL server should be enabled | SQL Database |
CSPM-AZURE-2024-0406 | Virtual machines’ Guest Configuration extension should be deployed with system-assigned managed identity | Compute |
CSPM-AZURE-2024-0476 | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | AKS |
CSPM-AZURE-2024-0477 | Function apps should not have CORS configured to allow every resource to access your apps | App Service |
CSPM-AZURE-2024-0490 | Linux machines should meet requirements for the Azure compute security baseline | Guest Configuration |
CSPM-AZURE-2024-0492 | Windows machines should meet requirements of the Azure compute security baseline | Guest Configuration |
CSPM-AZURE-2024-0528 | Geo-redundant backup should be enabled for Azure Database for MariaDB | MariaDB |
CSPM-AZURE-2024-0529 | Geo-redundant backup should be enabled for Azure Database for MySQL | MySQL |
CSPM-AZURE-2024-0530 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | PostgreSQL |
CSPM-AZURE-2024-0531 | Geo-redundant storage should be enabled for Storage Accounts | Storage Resource Provider |
CSPM-AZURE-2024-0532 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | SQL Database |
CSPM-AZURE-2024-0557 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Guest Configuration |
CSPM-AZURE-2024-0558 | Audit Windows machines that do not store passwords using reversible encryption | Guest Configuration |
CSPM-AZURE-2024-0563 | Key Vault keys should have an expiration date | Key Vault |
CSPM-AZURE-2024-0569 | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Guest Configuration |
CSPM-AZURE-2024-0570 | Audit Windows machines that do not have the maximum password age set to specified number of days | Guest Configuration |
CSPM-AZURE-2024-0571 | Audit Windows machines that do not have the minimum password age set to specified number of days | Guest Configuration |
CSPM-AZURE-2024-0573 | Audit Windows machines that do not restrict the minimum password length to specified number of characters | Guest Configuration |
CSPM-AZURE-2024-0602 | Email notification to subscription owner for high severity alerts should be enabled | Defender for Cloud |
CSPM-AZURE-2024-0609 | Subscriptions should have a contact email address for security issues | Resource Management |
CSPM-AZURE-2024-0703 | Vulnerability assessment should be enabled on SQL Managed Instance | SQL Database |
CSPM-AZURE-2024-0705 | Vulnerability assessment should be enabled on your Synapse workspaces | Synapse |
CSPM-AZURE-2024-0765 | Windows Defender Exploit Guard should be enabled on your machines | Guest Configuration |
CSPM-AZURE-2024-0766 | Azure DDoS Protection should be enabled | Defender for Cloud |
CSPM-AZURE-2024-0767 | Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Network |
CSPM-AZURE-2024-0771 | Azure Key Vault should have firewall enabled | Key Vault |
CSPM-AZURE-2024-0782 | App Service apps should require FTPS only | App Service |
CSPM-AZURE-2024-0783 | App Service apps should use the latest TLS version | App Service |
CSPM-AZURE-2024-0784 | Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | HDInsight |
CSPM-AZURE-2024-0785 | Enforce SSL connection should be enabled for MySQL database servers | MySQL |
CSPM-AZURE-2024-0786 | Enforce SSL connection should be enabled for PostgreSQL database servers | PostgreSQL |
CSPM-AZURE-2024-0788 | Function apps should require FTPS only | App Service |
CSPM-AZURE-2024-0789 | Function apps should use the latest TLS version | App Service |
CSPM-AZURE-2024-0791 | Only secure connections to your Azure Cache for Redis should be enabled | Redis Cache |
CSPM-AZURE-2024-0792 | Secure transfer to storage accounts should be enabled | Storage Resource Provider |
CSPM-AZURE-2024-0793 | Windows machines should be configured to use secure communication protocols | Guest Configuration |
CSPM-AZURE-2024-0796 | Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Recovery Services |
CSPM-AZURE-2024-0798 | Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | Azure AI Services |
CSPM-AZURE-2024-0799 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Healthcare APIs |
CSPM-AZURE-2024-0800 | Azure Automation accounts should use customer-managed keys to encrypt data at rest | Automation |
CSPM-AZURE-2024-0801 | Azure Batch account should use customer-managed keys to encrypt data | Batch Management |
CSPM-AZURE-2024-0802 | Azure Container Instance container group should use customer-managed key for encryption | Container Instances |
CSPM-AZURE-2024-0803 | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0804 | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Data Box |
CSPM-AZURE-2024-0805 | Azure Data Explorer encryption at rest should use a customer-managed key | Azure Kusto |
CSPM-AZURE-2024-0806 | Azure data factories should be encrypted with a customer-managed key | Data Factory |
CSPM-AZURE-2024-0807 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | HDInsight |
CSPM-AZURE-2024-0808 | Azure HDInsight clusters should use encryption at host to encrypt data at rest | HDInsight |
CSPM-AZURE-2024-0809 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Machine Learning |
CSPM-AZURE-2024-0810 | Azure Monitor Logs clusters should be encrypted with customer-managed key | Log Analytics |
CSPM-AZURE-2024-0811 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Stream Analytics |
CSPM-AZURE-2024-0812 | Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Synapse |
CSPM-AZURE-2024-0813 | Bot Service should be encrypted with a customer-managed key | Bot Service |
CSPM-AZURE-2024-0814 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | AKS |
CSPM-AZURE-2024-0815 | Container registries should be encrypted with a customer-managed key | Container Registry |
CSPM-AZURE-2024-0819 | Event Hub namespaces should use a customer-managed key for encryption | Event Hubs |
CSPM-AZURE-2024-0822 | Logic Apps Integration Service Environment should be encrypted with customer-managed keys | Logic Apps |
CSPM-AZURE-2024-0824 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | Compute |
CSPM-AZURE-2024-0826 | OS and data disks should be encrypted with a customer-managed key | Compute |
CSPM-AZURE-2024-0828 | Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Log Analytics |
CSPM-AZURE-2024-0829 | Service Bus Premium namespaces should use a customer-managed key for encryption | Service Bus |
CSPM-AZURE-2024-0832 | Storage account encryption scopes should use customer-managed keys to encrypt data at rest | Storage Resource Provider |
CSPM-AZURE-2024-0833 | Storage accounts should use customer-managed key for encryption | Storage Resource Provider |
CSPM-AZURE-2024-0848 | Automation account variables should be encrypted | Automation |
CSPM-AZURE-2024-0849 | Azure Data Box jobs should enable double encryption for data at rest on the device | Data Box |
CSPM-AZURE-2024-0850 | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | Log Analytics |
CSPM-AZURE-2024-0851 | Azure Stack Edge devices should use double-encryption | Data Box Edge/Data Box Gateway |
CSPM-AZURE-2024-0852 | Disk encryption should be enabled on Azure Data Explorer | Azure Kusto |
CSPM-AZURE-2024-0853 | Double encryption should be enabled on Azure Data Explorer | Azure Kusto |
CSPM-AZURE-2024-0855 | Infrastructure encryption should be enabled for Azure Database for MySQL servers | MySQL |
CSPM-AZURE-2024-0856 | Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | PostgreSQL |
CSPM-AZURE-2024-0858 | Storage accounts should have infrastructure encryption | Storage Resource Provider |
CSPM-AZURE-2024-0860 | Transparent Data Encryption on SQL databases should be enabled | SQL Database |
CSPM-AZURE-2024-0861-01 | Virtual machines should have encryption at host enabled | Compute |
CSPM-AZURE-2024-0861-02 | Virtual machine scale sets should have encryption at host enabled | Compute |
CSPM-AZURE-2024-0864 | App Service apps should use latest ‘HTTP Version’ | App Service |
CSPM-AZURE-2024-0865 | Function apps should use latest ‘HTTP Version’ | App Service |
CSPM-AZURE-2024-0868 | System updates on virtual machine scale sets should be installed | Compute |
CSPM-AZURE-2024-0869 | System updates should be installed on your machines | Compute |
CSPM-AZURE-2024-0896 | Audit Windows machines that have the specified members in the Administrators group | Compute |
CSPM-AZURE-2024-0897 | Audit Windows machines missing any of specified members in the Administrators group | Compute |
CSPM-AZURE-2024-0910 | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | Compute |
CSPM-AZURE-2024-0914 | Require encryption on Data Lake Store accounts | Data Lake Storage Gen1 |
CSPM-AZURE-2024-0923 | Container Registry should use a virtual network service endpoint | Container Registry |
CSPM-AZURE-2024-0925 | Cosmos DB should use a virtual network service endpoint | Cosmos DB Resource Provider |
CSPM-AZURE-2024-0928 | Key Vault should use a virtual network service endpoint | Key Vault |
CSPM-AZURE-2024-0929 | SQL Server should use a virtual network service endpoint | SQL Database |
CSPM-AZURE-2024-0930 | Storage Accounts should use a virtual network service endpoint | Storage Resource Provider |
CSPM-AZURE-2024-0931 | Virtual machines should be connected to an approved virtual network | Compute |
CSPM-AZURE-2024-0946 | Azure Monitor should collect activity logs from all regions | Monitor |
CSPM-AZURE-2024-0955 | Virtual machines should have the Log Analytics extension installed | Compute |
CSPM-AZURE-2024-0956 | The Log Analytics extension should be installed on Virtual Machine Scale Sets | Compute |
CSPM-AZURE-2024-0959 | Azure Monitor log profile should collect logs for categories ‘write,’ ‘delete,’ and ‘action’ | Monitor |
CSPM-AZURE-2024-0969 | Azure Key Vault Managed HSM should have purge protection enabled | Key Vault |
CSPM-AZURE-2024-1002-01 | Audit VMs that do not use managed disks | Compute |
CSPM-AZURE-2024-1002-02 | Audit Virtual Machine Scale Sets that do not use managed disks | Compute |
CSPM-AZURE-2024-1009 | \[Preview\]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Kubernetes |
CSPM-AZURE-2024-1012 | Azure Defender for open-source relational databases should be enabled | PostgreSQL, MySQL, MariaDB |
CSPM-AZURE-2024-1013 | Azure Kubernetes Service clusters should have Defender profile enabled | AKS |
CSPM-AZURE-2024-1026 | Terminate customer controlled account credentials | Microsoft Graph API |
CSPM-AZURE-2024-1049 | Ensure that Azure virtual machine scale sets are configured for zone redundancy | Monitor |
CSPM-AZURE-2024-1050 | Ensure that email notifications are enabled for virtual machine (VM) backup alerts | Recovery Services |
CSPM-AZURE-2024-1051 | Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database | PostgreSQL |
CSPM-AZURE-2024-1052 | Ensure that Azure OpenAI service instances are using managed identities | Azure AI Services |
CSPM-AZURE-2024-1053 | Ensure that Azure Machine Learning workspaces are using system-assigned managed identities | Machine Learning |
CSPM-AZURE-2024-1055 | Enable automatic failover for Microsoft Azure Cosmos DB accounts | Cosmos DB Resource Provider |
CSPM-AZURE-2024-1056 | Ensure there are no custom owner roles within your Microsoft Azure account | Authorization |
CSPM-AZURE-2024-1057 | Ensure that your Azure API Management APIs are configured to enforce HTTPS | API Management |
CSPM-AZURE-2024-1058 | Enable High Business Impact feature for your Azure Machine Learning workspaces | Machine Learning |
CSPM-AZURE-2024-1059 | Ensure that managed VNet isolation with Internet outbound access is enabled | Machine Learning |
CSPM-AZURE-2024-1060 | Use User-Assigned Managed Identities for Azure API Management Services | API Management |
CSPM-AZURE-2024-1061 | Use System-Assigned Managed Identities for Azure API Management Services | API Management |
CSPM-AZURE-2024-1062 | Ensure that your Azure API Management API gateways are configured to use HTTP/2 | API Management |
CSPM-AZURE-2024-1063 | To prevent certain resource types from being deployed ensure that “Not Allowed Resource Types” policy is assigned | Policy |
CSPM-AZURE-2024-1064 | Ensure that named values are encrypted to prevent the exposure of secrets in Azure API Management | API Management |
CSPM-AZURE-2024-1066 | Ensure that ‘Members can invite’ is set to ‘No’ | Microsoft Entra ID |
CSPM-AZURE-2024-1067 | Ensure that ‘Guests can invite’ is set to ‘No’ | Microsoft Entra ID |
CSPM-AZURE-2024-1068 | Ensure that managed VNet isolation with Internet outbound access is enabled | Machine Learning |
CSPM-AZURE-2024-1070 | Enable Integration with Application Insights | API Management |
CSPM-AZURE-2024-1071 | Ensure that all your Azure virtual machine instances are launched from approved machine images only | Compute |
CSPM-AZURE-2024-1072 | Ensure that Azure virtual machines are configured to use system-assigned managed identities | Compute |
CSPM-AZURE-2024-1073 | Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature | Compute |
CSPM-AZURE-2024-1074 | Remove Unattached Virtual Machine Disk Volumes | Compute |
CSPM-AZURE-2024-1075 | Enable App Service Authentication | App Service |
CSPM-AZURE-2024-1076 | Enable Defender for APIs | Defender for Cloud |
CSPM-AZURE-2024-1077 | Enable Microsoft Defender for Cloud Apps Integration | Defender for Cloud |
CSPM-AZURE-2024-1078 | Enable Defender for Endpoint Integration with Microsoft Defender for Cloud | Defender for Cloud |
CSPM-AZURE-2024-1079 | Check for Azure Advisor Recommendations | Advisor |
CSPM-AZURE-2024-1080 | Enable Email Notifications for Backup Alerts | Advisor |
CSPM-AZURE-2024-1081 | Enable Blob Storage Lifecycle Management | Storage Resource Provider |
CSPM-AZURE-2024-1082 | Enable DDoS Standard Protection for Virtual Networks | Virtual Networks |
CSPM-AZURE-2024-1083 | Enable Storage Auto-Growth | PostgreSQL |
CSPM-AZURE-2024-1084 | Enable Automated Backups | App Service |
CSPM-AZURE-2024-1086 | Monitor External Accounts with Write Permissions | Policy |
CSPM-AZURE-2024-1087 | Check for Unused Load Balancers | Compute |
CSPM-AZURE-2024-1089 | Enable Monitoring of Deprecated Accounts | Policy |